Russian hacker handed 27 years, 'longest sentence ever', in US courts

Roman Seleznev, a Russian born master hacker, has been sentenced to 27 years in prison for the unprecedented scale of his financial crimes.

A Russian national has been handed the ‘longest sentence ever'. A US court sentenced Roman Seleznev on 22 April to 27 years in prison for stealing nearly US$170 million (£132 million) from over 3700 banks worldwide.

Seleznev, known as Track2 in the world of cyber-criminality, was convicted in 2016 of 38 counts including wire fraud and aggravated identity theft. More specifically, Seleznev hacked into point of sale devices, the kind of machines used every day to process any number of card transactions in-store, and stole private credit card numbers from over 500 US businesses.

The 32-year-old Russian national was particularly fond of targeting financial institutions and small businesses, some of which went into bankruptcy after Seleznev was done with them. After stealing the data, Seleznev would send it back to his servers in Ukraine, Russia and Virginia before selling it on to other cyber-criminals, through two automated vending sites created by the hacker. This, according to his prosecutors, made buying stolen credit card data “as easy as buying a book on Amazon.”

When Seleznev was arrested in the Maldives in 2014, law enforcement seized a laptop containing 1.7 million credit card numbers.

The sheer scale of Seleznev's activities surely contributed to what has been called the longest sentence ever for hacking. Over two years, Seleznev proved a difficult defendant to try. He got rid of six sets of defense lawyers, rejected plea deals handed to him and committed perjury. He was also judged to pose a high risk of reoffending, should he return to Russia. However, the 27 years that Seleznev was given still fell below the 30 years that prosecutors asked for.

Court documents name Seleznev as “one of the most revered point-of-sale hackers in the criminal underworld”, and prosecutors recommended the unprecedented sentence of three decades, in line with Seleznev's crimes: “Never before has a criminal engaged in computer fraud of this magnitude been identified, captured, and convicted by an American jury.”

Simply put, the prosecutors added, “Roman Seleznev has harmed more victims and caused more financial loss than, perhaps, any other defendant that has appeared before the Court.”

Commenting on the sentence, acting assistant attorney general Blanco said, “we will not tolerate the existence of safe havens for these crimes – we will identify cyber-criminals from the dark corners of the Internet and bring them to justice.”

The statement released by the Department of Justice (DoJ) of his sentencing gives credit to the “extraordinary collaborative effort” by the Secret Service, US Attorney's Office and the Seattle Police department.

The sentencing coincides with the indictment of the alleged spam king, hacker and master of the Kelihos botnet, Peter Levashov, in a similar international crackdown on foreign cyber-criminals. US attorney Annette L. Hayes noted, “The notion that the internet is a Wild West where anything goes is a thing of the past. As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind.”

Seleznev may yet have more years piled on top of that 27-year sentence. He still faces organised crime related charges in Nevada and a variety of fraud charges in Georgia.